
  • ISO 27001 Lead Auditor Course


    I have several questions concerning the ISO 27001 Lead Auditor Course.
    1.- For example, if someone has passed this type of course for ISO 27001:2005, can he be the lead auditor for implementation of ISO 27001:2013? Also, if someone passes the course for ISO 27001:2013, can he be the lead auditor for the next version of this standard?
    2.- My second question is the approximate price of the ISO 27001 Lead Auditor course.
    3.- The next question is the following: is it necessary to pass the course for internal auditor before taking the course for lead auditor, or can you go straight to the course for lead auditor?
    4.- Is an ANSI-accredited certificate through PECB valid all over the world?
    5.- Is English the only language for taking the exam and gaining the ISO 27001 Lead Auditor certificate? Here I am not talking about the language the course is taught in.
    6.- Can you point me to some scientific conferences in Europe concerning information security standardization?
     

    Answer:

    1.- If you have taken the course for ISO 27001:2005 and you are a Lead Auditor for that standard, generally you need to take another course for the adaptation to ISO 27001:2013; otherwise you only have the Lead Auditor certificate for ISO 27001:2005, which can give you problems demonstrating your experience with ISO 27001:2013. Anyway, keep in mind that the Lead Auditor course is not for implementers; please read this article “Lead Auditor Course vs. Lead Implementer Course – Which one to go for?” : https://advisera.com/27001academy/blog/2014/06/16/lead-auditor-course-vs-lead-implementer-course-which-one-to-go-for/
    2.- It depends on the company or the trainer, but I think an estimate would be between $1,000 and $3,000 (40-50 hours).
    3.- You can go straight to the Lead Auditor course.
    4.- These are different things. The Professional Evaluation and Certification Board (PECB) is an American personnel certification body, while the American National Standards Institute (ANSI) is the official US representative of the International Organization for Standardization (ISO), which is related to the certification of companies. So, if you are interested in a personal certification, you can take a PECB official exam, and you will have the accreditation of a US company. For more information about certification for persons vs. organizations, please read this article “ISO 27001 certification for persons vs. organizations” : https://advisera.com/27001academy/iso-27001-certification/
    5.- It depends on the company. Probably in your country there are various companies that offer the course/exam that you want in a local language. Anyway, keep in mind that we have resources in various languages; for example, you can see this free webinar “ISO 27001 Lead Auditor Course preparation training” : https://advisera.com/training/iso-27001-lead-auditor-course/
    6.- ENISA is the European Union Agency for Network and Information Security, and I think you can find information about conferences there: https://www.enisa.europa.eu
  • Implementation of A.14.3.1 and A.14.2.5 controls


    What do we have to do to implement control A.14.3.1? And also A.14.2.5 Secure system engineering principles?

     

    Answer:

    Regarding control A.14.3.1, basically you need to implement access control for the data that the organization uses for tests.
    Regarding control A.14.2.5, you can read in the "Implementation guidance" of control 14.2.5 the following: "Security should be designed into all architecture layers (business, data, applications and technology) balancing the need for information security with the need for accessibility". So, this control is related to the design of large information systems, which also includes the development of software. Anyway, you can use our template to implement this control in your organization (you can see a free version if you click on the "Free Demo" tab) "Secure Development Policy": https://advisera.com/27001academy/documentation/secure-development-policy/. And you can also use this template related to IT procedures "Operating Procedures for Information and Communication Technology" : https://advisera.com/27001academy/documentation/security-procedures-for-it-department/
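    Beyond restricting who can read the test data set, the ISO 27002 guidance for A.14.3.1 also asks that operational data containing personal or otherwise sensitive information is not copied into test environments unmodified. The following script is an added example (not part of the answer above, nor an Advisera template): it takes constructed "production" records, replaces the personal fields with keyed pseudonyms so that the same customer still maps to the same token across records, keeps non-sensitive fields intact so tests remain realistic, and refuses to export if any original sensitive value survives. The field names, the sample records and the 16-character token length are assumptions for illustration.

```python
import hashlib
import hmac
import re
import secrets

# Assumed classification of the record fields (illustrative, not from the page).
PII_FIELDS = {"name", "email", "phone"}      # personal data: must not reach the test system as-is
KEY_FIELDS = {"customer_id"}                 # identifiers: pseudonymised consistently across records

# Constructed sample of "production" records; no real customers.
PRODUCTION_RECORDS = [
    {"customer_id": 1001, "name": "Ana Petrova", "email": "ana.petrova@corp.example",
     "phone": "+385911234567", "plan": "gold", "balance": 120.5},
    {"customer_id": 1002, "name": "Luka Horvat", "email": "luka@corp.example",
     "phone": "+385915555555", "plan": "basic", "balance": 0.0},
    {"customer_id": 1001, "name": "Ana Petrova", "email": "ana.petrova@corp.example",
     "phone": "+385911234567", "plan": "gold", "balance": -3.0},
]


def new_export_key():
    """Fresh secret per export run; whoever holds it could re-link tokens, so it
    stays with the data owner, never in the test environment."""
    return secrets.token_bytes(32)


def pseudonymise(value, key, length=16):
    """Keyed, deterministic token: same value + same key -> same token,
    so joins between tables still work in the test database. Without the key
    the token cannot be reversed or brute-forced by hashing guesses."""
    return hmac.new(key, str(value).encode(), hashlib.sha256).hexdigest()[:length]


def mask_record(record, key):
    out = {}
    for field, value in record.items():
        if field in KEY_FIELDS:
            out[field] = "cust_" + pseudonymise(value, key)
        elif field == "email":
            # Keep a syntactically valid address on a reserved (RFC 2606) domain so
            # mail-format tests work but nothing can be delivered to a real person.
            local, _, _domain = value.partition("@")
            out[field] = pseudonymise(local, key, 10) + "@example.invalid"
        elif field in PII_FIELDS:
            out[field] = pseudonymise(value, key)
        else:
            out[field] = value          # non-sensitive: keep for realistic tests
    return out


def export_test_data(records, key):
    """Mask every record, then verify no original sensitive value survived
    anywhere in the output (e.g. a name copied into a free-text field)."""
    masked = [mask_record(r, key) for r in records]
    raw_values = {str(r[f]) for r in records for f in PII_FIELDS | KEY_FIELDS if f in r}
    for m in masked:
        for v in m.values():
            if str(v) in raw_values:
                raise ValueError("raw sensitive value leaked into test export: %r" % (v,))
    return masked


if __name__ == "__main__":
    key = new_export_key()
    for row in export_test_data(PRODUCTION_RECORDS, key):
        print(row)
```

The leak check is deliberately blunt: it catches the common failure of sensitive values hiding in columns nobody classified, which is exactly the case an auditor will probe when asking how test data was "selected carefully".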
  • Supplier policy and risk assessment & treatment


    Could you help me with:
    -          an example of a Supplier relationship policy based on ISO 27001.
    -          an example methodology based on likelihood and impact criteria.
     

    Answer:

    Sure, this is your site. Regarding the supplier relationship, this article can be interesting for you “6-step process for handling supplier security according to ISO 27001” : https://advisera.com/27001academy/blog/2014/06/30/6-step-process-for-handling-supplier-security-according-to-iso-27001/. At the end of the article, you have a link to the template “Supplier Security Policy”; you can see a free version by clicking on the “Free Demo” tab.
    Regarding the methodology, I suppose that you are referring to risk assessment & treatment. If so, this article can be interesting for you “How to write ISO 27001 risk assessment methodology” : https://advisera.com/27001academy/knowledgebase/write-iso-27001-risk-assessment-methodology/. And also, at the end of the article, you can find the free template “Risk Assessment and Risk Treatment Methodology”. This methodology is based on assets, and the risk is calculated from the likelihood and consequences (similar to impact) of threats and vulnerabilities.
  • Actions to address risks and opportunities - 6.1.1 General

    It is not mandatory to have a document for clause 6.1.1; where you need to have a document is in clauses 6.1.2 and 6.1.3, which are related to 6.1.1 and describe how to address risks and opportunities. You can see in the standard, at the end of these clauses, "The organization shall retain documented information about..". So, when you see this in a clause, it means that you need a document.

    If you want to see the list of mandatory documents (and non mandatory) of the standard, please read this article "List of mandatory documents required by ISO 27001 (2013 revision)": https://advisera.com/27001academy/knowledgebase/list-of-mandatory-documents-required-by-iso-27001-2013-revision/
  • Users and passwords


    Can you give an easy explanation about
    1) A.9.2.2
    2) A.9.2.4
    3) A.9.3.1
    4) A.9.4.3
    Sometimes I am a little confused about this.
     

    Answer:

    Sure, I will give you an example for each one:

    1) A.9.2.2 User access provisioning: I give a user privileges to read/write to a folder (according to a procedure).
    2) A.9.2.4 Management of secret authentication information of users: I give you your password in a secure manner (according to a procedure); for example, the organization needs to verify your identity, the use of external parties or unprotected electronic messages should be avoided, you should acknowledge receipt of secret authentication information, etc.
    3) A.9.3.1 Use of secret authentication information: You should follow the organization’s practices in the use of passwords; for example, not share an individual user’s secret authentication information, ensure proper protection of passwords, not use the same secret authentication information for business and non-business purposes, etc.
    4) A.9.4.3 Password management system: You use software in your organization to manage passwords, for example Active Directory (Windows environments) or OpenLDAP (Linux and Windows environments).
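    To make the difference between A.9.2.4 and A.9.4.3 concrete, here is an added example (not from the answer above, and not how Active Directory or OpenLDAP is implemented) of the behaviour a password management system is expected to enforce: a unique temporary password is issued at provisioning and must be changed at first use (A.9.2.4), passwords are stored only as salted PBKDF2 hashes, quality rules are checked on change, and recent passwords cannot be reused (A.9.4.3). The iteration count, history depth, minimum length and the small common-password list are assumptions chosen for illustration; in production the iteration count should be much higher (OWASP currently recommends 600,000 for PBKDF2-HMAC-SHA256).

```python
import hashlib
import hmac
import os
import secrets

PBKDF2_ROUNDS = 100_000   # kept low so the example runs quickly; raise in production
HISTORY_DEPTH = 5         # number of previous hashes kept to block reuse (assumed policy)
MIN_LENGTH = 12           # assumed policy
COMMON_PASSWORDS = {"password", "welcome", "qwerty", "letmein", "admin"}  # illustrative stub


def _derive(password, salt):
    """Salted, slow hash: the store never holds the password itself."""
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, PBKDF2_ROUNDS)


def check_quality(username, password):
    """Quality rules a password management system enforces on every change."""
    if len(password) < MIN_LENGTH:
        raise ValueError("password shorter than %d characters" % MIN_LENGTH)
    low = password.lower()
    if low in COMMON_PASSWORDS or low.rstrip("0123456789!") in COMMON_PASSWORDS:
        raise ValueError("password is on the common-password list")
    if username.lower() in low:
        raise ValueError("password contains the username")


class Credential:
    def __init__(self, salt, digest, must_change):
        self.salt = salt
        self.digest = digest
        self.must_change = must_change   # True while a temporary password is in force
        self.history = []                # list of (salt, digest) of previous passwords


class PasswordStore:
    def __init__(self):
        self._users = {}

    def issue_temporary(self, username):
        """A.9.2.4: unique random temporary password, to be changed on first use.
        Returning it here stands in for the secure, identity-verified hand-over."""
        temp = secrets.token_urlsafe(16)
        salt = os.urandom(16)
        self._users[username] = Credential(salt, _derive(temp, salt), must_change=True)
        return temp

    def verify(self, username, password):
        """Returns (authenticated, must_change). Unknown users pay the same
        hashing cost so timing does not reveal whether an account exists."""
        cred = self._users.get(username)
        if cred is None:
            _derive(password, b"\x00" * 16)
            return (False, False)
        ok = hmac.compare_digest(_derive(password, cred.salt), cred.digest)
        return (ok, ok and cred.must_change)

    def change_password(self, username, old, new):
        """A.9.4.3: re-authenticate, enforce quality, block reuse, re-salt."""
        ok, _ = self.verify(username, old)
        if not ok:
            raise PermissionError("current password incorrect")
        check_quality(username, new)
        cred = self._users[username]
        for salt, digest in [(cred.salt, cred.digest)] + cred.history:
            if hmac.compare_digest(_derive(new, salt), digest):
                raise ValueError("password was used recently")
        cred.history = ([(cred.salt, cred.digest)] + cred.history)[:HISTORY_DEPTH]
        cred.salt = os.urandom(16)
        cred.digest = _derive(new, cred.salt)
        cred.must_change = False


if __name__ == "__main__":
    store = PasswordStore()
    temp = store.issue_temporary("alice")
    print("temporary password accepted, change required:", store.verify("alice", temp))
    store.change_password("alice", temp, "correct-horse-battery-staple-9")
    print("after change:", store.verify("alice", "correct-horse-battery-staple-9"))
```

The `must_change` flag is what turns A.9.2.4's "temporary password" into something the system can enforce rather than a line in a procedure; an auditor checking A.9.4.3 will typically ask to see the equivalent setting (forced change at first logon, history length, minimum length) in the real directory service.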
  • Procedure for identification of Requirements


    I’m currently writing the “Procedure for Identification of Requirements”, and I’m having difficulties figuring out the requirements. Can you give me some examples?
     

    Answer:

    Sure, welcome back. The most important point here is to identify the applicable laws in your country. Here you can find a list of international laws related to information security: https://www.infosecpedia.info/laws-regulatio*******************************************
    Another important point is the identification of interested parties, and here you can find more information about this “How to identify interested parties according to ISO 27001 and ISO 22301” : https://advisera.com/27001academy/knowledgebase/how-to-identify-interested-parties-according-to-iso-27001-and-iso-22301//
  • Doing risk assessment department wise


    ISO 27001 does not define how you should organize risk assessment - in any case, for all of your departments you should use the same risk assessment methodology. However, if your company is not very small, i.e. if it is bigger than 20 employees, it would be good to organize risk assessment by departments because it makes it easier to speak to the right people.

    See also this article: How to organize initial risk assessment according to ISO 27001 and ISO 22301 https://advisera.com/27001academy/blog/2014/04/29/how-to-organize-initial-risk-assessment-according-to-iso-27001-and-iso-22301/
  • Registered Implementer


    I am looking at giving the certification a shot this quarter as a step towards becoming a registered implementer, after which your very robust tools will come in handy, but in the immediate term I will require advice from you and tips for engaging with the certification exam.
     

    Answer:

    I suppose that you know that there are no accreditations for the Lead Implementer course, so maybe the ISO 27001 Lead Auditor course could be interesting for you, because it has accreditations. Anyway, we do not have specific information about the exam of the Implementer course, but I think that this article can help you “Lead Auditor Course vs. Lead Implementer Course – Which one to go for?” : https://advisera.com/27001academy/blog/2014/06/16/lead-auditor-course-vs-lead-implementer-course-which-one-to-go-for/
  • ISO software


    I was wondering if you could give me your opinion on all-inclusive ISO software. I have worked with ISOXpress in the past and thought it worked well, but I was wondering if you knew of any others or could recommend any other software?
     

    Answer:

    Sorry, but we do not have information about this tool. Keep in mind that having a tool for your Management System is not mandatory; anyway, this article can be interesting for you “When to use tools for ISO 27001/ISO 22301 and when to avoid them” : https://advisera.com/conformio/blog/2021/06/24/toolkit-vs-conformio-which-is-more-applicable-for-my-company/
  • Partnerships under clause 4.1 and/or 4.3


    I have another quick question. Should I define any partnerships under clause 4.1 and/or 4.3? Or should they be incorporated only into the subcontractor policy and procedures?
     

    Answer:

    Sure, you can define your partnerships under the context of your ISMS, and you can also consider partnerships as an interested party (clause 4.2 Understanding the needs and expectations of interested parties), so this article can be interesting for you “How to identify interested parties according to ISO 27001 and ISO 22301” : https://advisera.com/27001academy/knowledgebase/how-to-identify-interested-parties-according-to-iso-27001-and-iso-22301//